So, there are fewer exploits for OS X, what’s all this vampire stuff? It is said that a vampire can only enter a private residence if invited in, and the same applies for the vast majority of OS X exploits. Almost all exploits on OS X require you (the user) to install them. You have to take a deliberate actions such as opening an e-mail attachment, running software containing malware (again, ‘patches’ claiming to circumvent licenses are a prime source of these), visiting suspect websites (links in e-mail are a prime source of links to iffy websites and should NEVER be clicked unless you know the sender – double check the real sender and reply address, never trust the display name – and recognise the actual link address – NEVER trust the link text).

Protecting your OS X machine is more about not inviting the vampire in than garlanding your environment with garlic:

1. I do not run ant-virus software (this is the equivalent of garlic, it may be effective but it stinks up the place and is only effective at close range, i.e. the vampire has already made it through the door). Anti-virus software is a massive overhead and, in most cases on OS X, provides a false sense of security and most of it has a history of creating as many problems as it solves. This is not to say I will never run anti-virus software in the future. When the threat outweighs the cost I’ll be first in line.
   I guess a case can be made that running anti-virus software helps out by catching viruses in files and attachments that might infect other OSes if we pass them on, so we would be good citizens by helping stop their spread. But this is like punishing yourself for someone else’s mistake. Having chosen a secure environment I should make it less secure and slower just so I can protect those who chose a less secure option in the first place? Where’s the sense in that?
2. I always use a firewall to block all incoming connections (except those I specifically allow for periods when I need them).
   1. Use Shields Up to check your system for open ports through which naughty people might attack.
   2. Make sure that you are not sharing any services unnecessarily. (Open System Preferences… → Sharing and make sure nothing is selected that you do not mean to be sharing, most especially things like Remote Login or Remote Management should be OFF for most people. I leave everything OFF by default and only turn on sharing when I actually need it, turning it off again as soon as I’m finished. I do this because I’m often roaming and using WiFi connections. Any time your WiFi is on you’re potentially vulnerable, so playing safe is sensible.
3. I use LittleSnitch to control all out-going traffic. This is a great little program. It’s irritating at first, but once you’ve used it for a while it is an invaluable tool in ensuring you’re aware of all the software that’s trying to connect from your machine to the outside world.
4. Leave Bluetooth and WiFi off unless actually using them. (Saves the battery too if your not plugged in.)
5. Make sure any WiFi connection is encrypted and password protected. This is especially true when using an ad hoc computer-computer network — always set a password when creating an ad hoc network!
6. Keep software up to date.
   I always install updates for any application as soon as possible, but especially security updates for OS X. It is very, very rare that this policy causes more trouble than it’s worth.
7. Never open attached files in e-mail unless certain of the source.
8. Isolate suspected Spam in the mail tool’s junk/spam folder. If possible, only review sender and titles (do not open junk mail at all, even in a preview), move any messages that are accidentally junked back into the inbox and add the sender to my address book so it is no longer junked.
9. Do not allow previews of e-mail messages to display images unless you explicitly permit it. Alternatively, view all your messages in text only previews.
   This one is more of a privacy concern (although some image handling exploits have been known). Spammers commonly use embedded images (linked back to their site) to confirm ‘live’ e-mail addresses. as soon as you open the preview your e-mail system effectively announces it’s presence by visiting the spammers site to fetch the image. Turn off images in preview and selectively turn them on for addresses you know to be safe.
10. Do not click links in e-mail unless 100% certain of both the source of the e-mail and the link.
11. When receiving unsolicited e-mail about billing or account problems from an apparently legitimate source (especially your bank!), DO NOT click the provided link. Log in to your account on the supplier’s web site manually and check your account from there. If you cannot verify the account this way, use their support, billing, or sales contact on their website and ask if the e-mail is legitimate before following any link — caution is the better part of valour.

No system is perfect and mistakes inevitably get made, but using these common sense precautions I’ve survived online pretty well problem free since before the WWW started. Sooner or later I do not doubt I’ll have a problem, it would be unreasonable to expect to spend so much time online without a problem.

Being online a lot and expected to stay problem free is a little like running back and forth across a busy highway and expecting to avoid being hit. No matter how carefully you think you are checking the road on each run, sooner or later your attention will waver, or someone will approach in a stealth car, and you’ll get hit. The best we can do is be as careful as possible (or stop using the internet/running across the highway).

Whenever you post to a blog, Facebook, MySpace, or any other forum your data is no longer yours. When you store your backup on .MAC, or any other backup service, when you use DropBox or any of he myriad storage facilities, your data is no longer yours.

At this point I hear cries of, ‘but they say it’s secured’ or ‘but only I have the password’ or ‘I only allow friends to see my profile’. Ah, but here’s the rub. None of these services is truly secure. Not only that, a glance at the license agreements we so blithely click though reveals that we absolve the companies who provide these services of any substantial responsibility to secure out data. Sure, they have a basic duty of care but this is nothing but a fig leaf. Besides, once your data is compromised it’s too late for any restitution.

One interesting issue of placing information in these services is a knotty legal nicety. Suppose you are a married man storing all of you information on Google’s services. All you financial dealing, a spreadsheet recording your income/out-goings for example. Now suppose you were to be divorced. If the information were held on a local PC (rather than on Google) then your spouse would have great difficulty getting access to the information. With it all on Google they can subpoena the information direct from Google, you would not even necessarily know they had that information. And this principle applies to more than messy divorce cases.

Hopefully these services will start to offer proper encryption services. Unfortunately at the moment there are technical issues that make proper encryption tricky if the services are to maintain their ubiquity. No doubt, if demand for proper encryption (that is encryption that makes information practically unavailable to anyone other than the owner) these issues will the resolved.

I am not saying we should not use these facilities. I do. A lot. I am simply saying that people should assume that as soon as they put data onto these facilities it will become public knowledge. This is simply the precautionary principle. It is true that for most of people putting data on-line will never be a problem, but by applying the precautionary principle you ensure that it is never a problem.

The idea that data is stored in a disparate infrastructure and processing power provided by commodity servers is hardly new, but to read the cloud computing lobby’s position you could be forgiven for thinking we were about to see something totally revolutionary.

What we are seeing of course, is the commercialisation of ideas which, until the last few years, have been maintained internally. Take any large organisation’s infrastructure in the last ten years and you have, to a large extent, the progenitor of cloud computing. Large, distributed storage facilities, large distributed server centres, and smaller local storage and processing facilities in the shape of desktop machines. Users hold most of their data on remote facilities, neither knowing nor caring about where or how they are physically stored.

There have been many attempts in the past to move from local PC computing to large commodity server processing. The irony being that early computing was based on dumb terminals and large central computing power. The cloud is slightly different, but only in that the provision of storage and service is not concentrated on one physical computer but rather spread about the internet, provided by potentially dozens of providers.

The shift to more browser based applications is no different to the shift from locally implemented drivers to operating systems. As Google are demonstrating, the shift to browser centric computing is an attempt to shift away from operating system dependence. The issue for consumers will be to protect the idea of open standards on browsers. Noticeably, even the mighty Microsoft are beginning to comply with standards in the latest incarnation of IE in order to position themselves in this emerging market.

Who benefits?

So, where does the market advantage come from for cloud computing? On the face of it the consumer will be the winner. With a crowded and competitive market of suppliers all using standards compliant protocols and browsers to deliver commodity services (no one should discount the bespoke market just yet) we can expect to get more bang for our buck in the next few years. The downside is trust.

Cloud computing in its purest form demands significant trust from users. Your data resides, not on your local machine, but ‘in the cloud’, which translates into ‘on someone else’s disks’. Google, Amazon, Microsoft, take your pick. Who do you trust with your information?

From the point of view of organisations supplying the cloud services the model turns you from a one time purchaser (when you buy your computer or software) into a revenue stream. Instead of buying software you buy access to it. Instead of buying a larger disk drive, you buy access to more on-line storage. The insidious thing about this model, from a consumer point of view, is that, like a hire purchase, seeing a few dollars each month leaving your account does not seem as painful as a large lump when you buy the computer and software but over the time you use the application you will almost certainly pay more.

It is inevitable that cloud services will be bundled in combinations that, like cable or satellite TV packages, will seem like value but in fact mean you pay for services you do not use.

Open Cloud?

Open source software is possible because many developers provide free time to developing it. You buy the hardware and they provide the software. With the cloud model open source benefits only the cloud suppliers. No longer can the consumer leverage free software into the cloud. Even if you find a cloud supplier willing to let you run an open source application on their infrastructure you will still have to pay for the run-time. It’s tough to see how open source will survive in the cloud.

Reliability

With current computing architectures there is a sense of ownership and problems with servers or storage (or your own PC) are directly under your control. If something happens then, assuming you have another PC and reliable backups, getting up an running is simple enough. Most business deal with these sort of failures every now and then, and most do so with minimal disruption to the business. With the cloud computing model there is an added risk that your supplier goes AWOL.

I have several external suppliers involved in delivering services for my business, one ISP provides my broadband connection, another provides support for my website, another supplier provides video streaming facilities, and another backup facilities. These all have high reliability promises, and they all fail periodically. When they fail I lose my on-line presence in part or as a whole. This is no major problem at the moment but as more of my business moves on-line I become increasingly aware of just how reliable a service needs to be to come close to one I own myself. The probability of system failure is the product of the probability of failure for each link in the supply chain.

Typical uptime promises offered by ISPs are 99.98%. This may seem very good until you realise that this means your ISP can meet this standard but still be completely unavailable for 1.75 hours every year. For a private individual this may not be a major problem, for a business it could be a big problem if that 1.75 hours is during a peak sale period. If there are four suppliers involved in the supply chain, each offering 99.98% reliability the worst case (assuming they meet this promise) means four lots of 1.75 hours downtime, or seven hours lost business.

There are strategies on the cloud that allow organisations and individuals to protect against failure, but at a cost.

Securing data

People do seem to be increasingly comfortable handing much of their information over to third parties. Occasionally someone will point out the inequities in a site’s terms of service, but more often than not people simply click through these without realising just what rights they are surrendering in doing so.

Certainly most information is not worth protecting too much. Does it really matter if your family holiday photo’s get out on the internet? Probably not. But what about those saucy photo’s you took with your boyfriend? These you probably would not want floating around. How about your banking details? Or some business plan you’re working on? What about that great invention that’s going to make you rich (providing someone does not beat you to the punch)? Or the blockbuster novel you’re writing? When you’re data is in the cloud it is no longer entirely under your control.

The internet is awash with horror stories of people sending e-mails without thinking of the consequences, and people losing their jobs because over perfectly innocent blog postings that their employer took exception to. The problems do not stop there once your data is in the cloud.

Consider the situation when a couple divorce. With all the data in your own local control it is fairly difficult for your ‘other half’ to get disclosure and almost impossible for them to dig around in your personal data without your knowledge. If this same information is in the cloud a simple subpoena opens the door to all that information and you are not necessarily notified that they have it.

I suspect there will be a growing market in tools to encrypt data as it goes to cloud storage, although we will all be increasingly reliant on third-party processing power if the cloud computing lobby have their way. When this happens we will be completely reliant on the storage solutions providing sufficient protection to our data as we will have no way to mediate any encryption.

As I said above, for a great deal of information it does not matter a great deal that we entrust it to the cloud (although I do take exception to sites that want some sort of ownership over, for example, my photographs just because I upload them to their disks). It is reasonable to assume that the big service suppliers have a vested interest in maintaining a good reputation for securing information. After all, clients will quickly move to another supplier if they believe their data is at risk. I for one will be very cautious about uploading anything remotely sensitive beyond the borders of my own local network without some serious encryption to which only I have the key!